The generative AI revolution is now well underway. GenAI is helping knowledge workers analyze data, uncover trends and patterns that would otherwise remain hidden, test new ideas and draft content. Analysts estimate that these productivity improvements will add between $2.6 and $4.4 trillion to the global economy each year.
But as GenAI systems proliferate, it’s becoming increasingly common for them to expose sensitive data, either inadvertently or because they were manipulated by bad actors. The number of data security incidents involving GenAI more than doubled during the first half of 2025, with GenAI now playing a role in nearly 15% of these events. In many organizations, GenAI adoption has come to seem like a double-edged sword: the more internal documents, emails, customer information, records and logs these tools ingest, the more useful they can be, but the broader their data access is, the more likely they are to stumble across confidential, proprietary or regulated information.
“This problem isn’t new,” says David O’Leary, Field Chief Information Security Officer – ASG Presales Engineering at SHI. “The organizations that had not built robust data governance—especially fine-grained, least-privilege access controls—before they adopted generative and agentic AI tend to find that these AI systems are ferreting out the preexisting weaknesses in their data security policies and architectures. The AI systems are just doing what they were designed to do—gather all the information that’s relevant to the prompt, ask for more, get smarter and reveal the results.”
Organizations that want to gain as much value as possible from AI-powered solutions without amplifying data security risks will need to ensure that best practice-based data protections are in place across their environment.
But how they discover and classify data, analyze risks and enforce policies can be modernized, and newer solutions promise to improve visibility across today’s complex hybrid and multi-cloud ecosystems. Security vendors are also leveraging AI to boost the capabilities of data loss prevention (DLP) and data security posture management (DSPM) tools.
The following four best practices are essential for robust data security in the age of AI.
#1: Enforce policies to ensure that the only employees who can access restricted data are those whose jobs require it.
The principle of least privilege—which states that every user, system and process should be granted the access and permissions needed to get the job done, and nothing more—remains vital for reducing data risk and the potential blast radius of a successful attack. The core question for security leaders to ask remains: “Who should have access to which data?”
But the policies that needed to govern only human identities in the past now also need to constrain a skyrocketing number of non-human identities (NHIs) acting on behalf of employees, third parties and even customers, which will require implementing a modern, full-lifecycle approach to NHI security.
#2: Use strong encryption or obfuscation to protect sensitive data at rest and in transit.
Encryption is critical because it’s the last line of defense for data. Even if bad actors capture or exfiltrate sensitive information, they can’t make use of it if they can’t decrypt it. The key challenge is identifying all the data that should be encrypted, figuring out where it is stored, how it is used and whether its protections are adequate.
“Today’s DLP and DSPM tools are leveraging AI to find sensitive information, regardless of whether it’s stored in a cloud database, a flat file or on the hard drive of an employee’s laptop,” O’Leary says. “They’re getting much better at classifying and tagging that data, which underpins all of data security, including encryption.”
#3: Adopt an architectural approach, where data discovery and protection are integrated across the entire organization.
Data protection works best when it operates at scale. Integrating mechanisms for data classification, encryption and access management into the enterprise architecture ensures that policies will be enforced consistently across the entire organization and vulnerabilities will be reduced systemically.
Centralizing functions such as key and secrets management, identity and access controls and logging gives security operations teams consistent visibility, making it easier to monitor for policy violations and compliance risks. Integrating data security into system design from the start helps ensure ongoing resilience and is simpler than trying to add controls retroactively.
#4: Implement continuous monitoring and real-time alerting on anomalous data movements.
Continuous monitoring makes it possible to detect risky data movements or exfiltration as it is taking place, the only time when these activities can be stopped. No matter how well-thought-out your policies are, they’re not useful for protecting your data if they can’t be enforced in real time. New AI-driven DLP tools can monitor for security policy violations and compliance risks on an ongoing basis while delivering fewer false positive alerts than legacy solutions.
In addition to enabling incident detection and response, continuous monitoring capabilities simplify compliance with multiple regulations and frameworks. The same tools that deliver real-time visibility can gather logs and evidence that data protection policies are being enforced across the organization.
None of these best practices are novel, but the urgency of adhering to them is greater today as AI adoption expands the attack surface, opens new channels for exfiltration, and increases technology ecosystem complexity, making visibility more challenging to maintain. The good news is that boards and C-suite executives are paying attention.
“Many of the organizations I work with have launched major data security initiatives over the past year,” says O’Leary. “They realize that there’s a ton of data sprawl, they know the business wants to push the envelope with AI innovation and they’re thinking about preparing for the future arrival of quantum computing. So they’re adding DLP and DSPM products, they’re creating cross-functional teams to look at data security issues and they’re trying to address these problems at an architectural level.”
These investments bode well for the future of data security.
Interested in benchmarking your organization’s data security approach against those of your peers? Learn more about how industry leaders are thinking about today’s biggest cybersecurity challenges by downloading SHI and Stratascale’s 2026 Cyber Trends Report.